HAProxy community

Trouble with getting TLS 1.3 working on Ubuntu 16.04

Hi there,

I’m having an issue with my HAProxy installation. I’m trying to get TLS 1.3 working successfully. When using the SSL test site, 1.3 is not being served.

I have made the required changes in the .cfg file, but I think the problem is the version of OpenSSL HAProxy is built with, which is 1.0.2g. Here’s the output from haproxy -vv

    HA-Proxy version 1.8.24-1ppa1~xenial 2020/02/16
    Copyright 2000-2020 Willy Tarreau <willy@haproxy.org>

    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
      OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_NS=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

    Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
    Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
    Built with Lua version : Lua 5.3.1
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
    Encrypted password support via crypt(3): yes
    Built with multi-threading support.
    Built with PCRE2 version : 10.21 2016-01-12
    PCRE2 library supports JIT : yes
    Built with zlib version : 1.2.8
    Running on zlib version : 1.2.8
    Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
    Built with network namespace support.

    Available polling systems :
          epoll : pref=300,  test result OK
           poll : pref=200,  test result OK
         select : pref=150,  test result OK
    Total: 3 (3 usable), will use epoll.

    Available filters :
            [SPOE] spoe
            [COMP] compression
            [TRACE] trace

I can see that TLSv1.3 is not supported. Here’s the output from openssl version

    OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1d 10 Sep 2019)

So OpenSSL is the required version; I just don’t know how to link HAProxy to use the newer libraries. I’m not an expert on these things. I’ve tried to remove the current version of HAProxy and reinstall, but this made no difference. I’m assuming I will have to build from source, but I’m not sure how to go about this without affecting any other services that are dependent on the OpenSSL libraries.

Sorry if this is a novice question, but I’m a Windows man, dabbling in a bit of Linux.

Any help would be very much appreciated.

Regards,

Rob
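A small diagnostic, added here and not posted by anyone in the thread, that reads `haproxy -vv` output and reports whether that build can negotiate TLS 1.3 next to the library version behind the `openssl` binary (the two need not match, which is exactly the situation in the post above). The sample outputs are constructed: the first mirrors the poster's build, the second shows what a build linked against OpenSSL 1.1.1 reports.

```shell
#!/bin/sh
# Usage on a real host:  haproxy -vv | check_tls13
# The `openssl version` binary does not tell you what haproxy links against;
# `ldd "$(command -v haproxy)" | grep -i ssl` shows the actual library file.

# Print "built=<ver> running=<ver> tls13=yes|no" for `haproxy -vv` text on stdin.
check_tls13() {
    vv=$(cat)
    built=$(printf '%s\n' "$vv"   | sed -n 's/^ *Built with OpenSSL version : OpenSSL \([^ ]*\).*/\1/p')
    running=$(printf '%s\n' "$vv" | sed -n 's/^ *Running on OpenSSL version : OpenSSL \([^ ]*\).*/\1/p')
    # Only the bare "OpenSSL library supports :" line lists protocol versions;
    # the "supports TLS extensions"/"supports SNI" lines do not match this pattern.
    supported=$(printf '%s\n' "$vv" | sed -n 's/^ *OpenSSL library supports : *//p')
    case " $supported " in
        *" TLSv1.3 "*) tls13=yes ;;
        *)             tls13=no ;;
    esac
    printf 'built=%s running=%s tls13=%s\n' "$built" "$running" "$tls13"
}

# Library version behind `openssl version`: prefer the "(Library: ...)" part,
# which is the shared library dynamically linked programs would actually load.
system_ssl_lib() {
    case "$1" in
        *"(Library: OpenSSL "*) printf '%s\n' "$1" | sed 's/.*(Library: OpenSSL \([^ )]*\).*/\1/' ;;
        *)                      printf '%s\n' "$1" | sed 's/^OpenSSL \([^ ]*\).*/\1/' ;;
    esac
}

# Constructed sample: the relevant lines of the poster's `haproxy -vv`.
SAMPLE_VV_OLD='HA-Proxy version 1.8.24-1ppa1~xenial 2020/02/16
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2'

# Constructed sample: what a build linked against OpenSSL 1.1.1 reports.
SAMPLE_VV_NEW='Built with OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3'

# Constructed sample: the poster's `openssl version` line.
SAMPLE_OPENSSL='OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1d 10 Sep 2019)'

printf '%s\n' "$SAMPLE_VV_OLD" | check_tls13
printf '%s\n' "$SAMPLE_VV_NEW" | check_tls13
printf 'system openssl library=%s\n' "$(system_ssl_lib "$SAMPLE_OPENSSL")"
```

A `tls13=no` result with a newer system library means the haproxy binary itself must be rebuilt or replaced by a package linked against OpenSSL 1.1.1; changing the .cfg alone cannot add the protocol.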

You need to build haproxy against that version of ssl.

Upgrade to Ubuntu 18.04 LTS.

Please do not try to build openssl and/or haproxy on your own, unless you know what you are doing. I fear you probably already tried that, otherwise I can’t explain why you would have openssl 1.1.1d under Ubuntu Xenial.